| skipped 67 lines |
68 | 68 | | timestamp = options.timestamp |
69 | 69 | | start_time = time.time() |
70 | 70 | | |
71 | | - | http_userfields = [b'log',b'login', b'wpname', b'ahd_username', b'unickname', b'nickname', b'user', b'user_name', |
72 | | - | b'alias', b'pseudo', b'email', b'username', b'_username', b'userid', b'form_loginname', b'loginname', |
73 | | - | b'login_id', b'loginid', b'session_key', b'sessionkey', b'pop_login', b'uid', b'id', b'user_id', b'screename', |
74 | | - | b'uname', b'ulogin', b'acctname', b'account', b'member', b'mailaddress', b'membername', b'login_username', |
75 | | - | b'login_email', b'loginusername', b'loginemail', b'uin', b'sign-in', b'j_username'] |
76 | | - | |
77 | | - | http_passfields = [b'ahd_password', b'pass', b'password', b'_password', b'passwd', b'session_password', b'sessionpassword', |
78 | | - | b'login_password', b'loginpassword', b'form_pw', b'pw', b'userpassword', b'pwd', b'upassword', b'login_password', |
79 | | - | b'passwort', b'passwrd', b'wppassword', b'upasswd', b'j_password'] |
80 | | - | |
81 | 71 | | Filename = str(os.path.join(os.path.dirname(__file__),"CredentialDump-Session.log")) |
82 | 72 | | l= logging.getLogger('Credential-Session') |
83 | 73 | | l.addHandler(logging.FileHandler(Filename,'a')) |
| skipped 8 lines |
92 | 82 | | return |
93 | 83 | | with open(outfile,"r") as filestr: |
94 | 84 | | if re.search(codecs.encode(user,'hex'), codecs.encode(filestr.read().encode('latin-1'),'hex')): |
95 | | - | return False |
96 | | - | elif re.search(re.escape(b'$'), user): |
97 | 85 | | return False |
98 | 86 | | with open(outfile,"a") as outf2: |
99 | 87 | | outf2.write(data + '\n') |
| skipped 279 lines |
379 | 367 | | def ParseDataRegex(decoded, SrcPort, DstPort): |
380 | 368 | | HTTPUser = None |
381 | 369 | | HTTPass = None |
382 | | - | for user in http_userfields: |
383 | | - | user = re.findall(b'(%s=[^&]+)' % user, decoded['data'], re.IGNORECASE) |
| 370 | + | HTTPusername = re.search(b'log|login|wpname|ahd_username|unickname|nickname|user|user_name|alias|pseudo|email|username|_username|userid|form_loginname|loginname|login_id|loginid|session_key|sessionkey|pop_login|uid|id|user_id|screename|uname|ulogin|acctname|account|member|mailaddress|membername|login_username|login_email|loginusername|loginemail|uin|sign-in|j_username', decoded['data']) |
| 371 | + | if HTTPusername: |
| 372 | + | user = re.findall(b'(%s=[^&]+)' % HTTPusername.group(0), decoded['data'], re.IGNORECASE) |
384 | 373 | | if user: |
385 | 374 | | HTTPUser = user |
386 | 375 | | |
387 | | - | for password in http_passfields: |
388 | | - | passw = re.findall(b'(%s=[^&]+)' % password, decoded['data'], re.IGNORECASE) |
| 376 | + | HTTPPasswd = re.search(b'ahd_password|pass|password|_password|passwd|session_password|sessionpassword|login_password|loginpassword|form_pw|pw|userpassword|pwd|upassword|login_passwordpasswort|passwrd|wppassword|upasswd|j_password', decoded['data']) |
| 377 | + | if HTTPPasswd: |
| 378 | + | passw = re.findall(b'(%s=[^&]+)' % HTTPPasswd.group(0), decoded['data'], re.IGNORECASE) |
389 | 379 | | if passw: |
390 | 380 | | HTTPass = passw |
391 | 381 | | |
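Review bot: The new `re.search` on line 370 returns whichever field name occurs first anywhere in the body rather than the one actually followed by `=`, and because alternation is tried left to right, `log` wins over `login` and `user` over `username`/`user_name`, so the `findall` on line 372 then looks for `log=`/`user=` and returns nothing where the removed loop found the field; the password search on line 376 has the same ordering problem with `pass`/`pw`, fuses two names into `login_passwordpasswort`, and unlike the `findall` runs without `re.IGNORECASE`. Folding the `=` into a single case-insensitive scan removes the two-step lookup and the ordering dependence: `user = re.findall(b'((?:log|login|…|j_username)=[^&]+)', decoded['data'], re.IGNORECASE)` with the full field list in place of `…`, and likewise for the password list with the typo split back into `login_password|passwort`. The SMB hunk at lines 549–564 has a related problem: the lookbehind dropped the trailing space the removed pattern had, and the messages then ignore `smbpassw`/`smbuser` in favour of a hard-coded `decoded['data'][95:]` slice, so the logged value depends on packet layout rather than on the match. ParseDataRegex continues past the end of this hunk.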
| skipped 164 lines |
556 | 546 | | pass |
557 | 547 | | |
558 | 548 | | if SrcPort == 445: |
559 | | - | SMBRead_userfields = [b'Administrator',b'user', b'email', b'username', b'session_key', b'sessionkey'] |
560 | | - | SMBRead_passfields = [b'cpassword',b'password', b'pass', b'password', b'_password', b'passwd', b'pwd'] |
561 | | - | for password in SMBRead_passfields: |
562 | | - | passw = re.findall(b'(?<=%s )[^\\r]*'%(password), decoded['data'], re.IGNORECASE) |
563 | | - | if passw: |
564 | | - | Message = "Found a password in an SMB read operation:\n%s:\n\"[%s]\""%(password.decode('latin-1'), b''.join(passw).decode('latin-1')) |
| 549 | + | SMBRead_passfields = re.search(b'cpassword|password|passwd', decoded['data'],re.IGNORECASE) |
| 550 | + | SMBRead_userfields = re.search(b'Administrator|user|email|username', decoded['data'],re.IGNORECASE) |
| 551 | + | if SMBRead_passfields: |
| 552 | + | smbpassw = re.findall(b'(?<=%s)[^\\r]*'%(SMBRead_passfields.group(0)), decoded['data'], re.IGNORECASE) |
| 553 | + | if smbpassw: |
| 554 | + | Message = "Found a password in an SMB read operation:\n[%s]\n"%(decoded['data'][95:].decode('latin-1')) |
565 | 555 | | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
566 | 556 | | if PrintPacket(Filename,Message): |
567 | 557 | | l.warning(HeadMessage) |
568 | 558 | | l.warning(Message) |
569 | 559 | | print(HeadMessage+'\n'+Message) |
570 | 560 | | |
571 | | - | for users in SMBRead_userfields: |
572 | | - | user = re.findall(b'(?<=%s )[^\\r]*'%(users), decoded['data'], re.IGNORECASE) |
573 | | - | if user: |
574 | | - | Message = "Found a username in an SMB read operation:\n%s:\n\"[%s]\""%(users.decode('latin-1'), b''.join(user).decode('latin-1')) |
| 561 | + | if SMBRead_userfields: |
| 562 | + | smbuser = re.findall(b'(?<=%s)[^\\r]*'%(SMBRead_userfields.group(0)), decoded['data'], re.IGNORECASE) |
| 563 | + | if smbuser: |
| 564 | + | Message = "Found a username in an SMB read operation:\n%s\n"%(decoded['data'][95:].decode('latin-1')) |
575 | 565 | | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
576 | 566 | | if PrintPacket(Filename,Message): |
577 | 567 | | l.warning(HeadMessage) |
| skipped 206 lines |